Look at the software in your organization in three ways: software you've purchased, software you've installed, and software that employees actually use. These are three distinct lists that can get surprisingly out of sync, and it's never good when that happens.

When software installs exceed licenses, you're out of compliance and could lose discounts and face steep "true up" fees or fines if the vendor finds out via an audit. Make that when a discrepancy is uncovered in an audit. Our InformationWeek 2014 Software Licensing Survey, completed in July, reveals that more than a third, 37%, of organizations have been audited within the last 24 months. The percentage is even higher, 40%, for companies with 500 or more employees, and separate research shows that large companies can expect six- to seven-figure fines when there are big discrepancies.

It's surprisingly easy for installs and licenses to get out of sync because enterprise software vendors, including IBM, Microsoft, Oracle, and SAP, make it easy for your employees to download software without paying for it. Vendors of enterprise software seldom lock it up with the kind of license keys used to control consumer software installs. Complicating matters are licensing terms related to virtualization, per-CPU, or business roles that confound even experienced buyers and administrators.

Even worse than getting caught on the wrong side of an audit is paying too much for software straight away. This happens when companies license software but never install it -- the dreaded shelfware. In other cases, companies license and install software that employees never use, yet they have no way of knowing it because they can't track usage. A third form of waste is emerging as more tech buying -- particularly for cloud-based software -- moves outside the IT organization. When 12 different sales and marketing types are buying SaaS-based CRM seats on their credit cards, it's impossible to get the enterprise-scale discounts your organization deserves.

The larger and more distributed the company, the harder it is to keep track of software licenses, installs, and usage. Even without the added complexity of virtualization, SaaS, and hybrid cloud environments, you're kidding yourself if you think you can manage licensing using spreadsheets and paper records.

IT asset management systems and software license optimization software go a long way toward getting software license entitlements, installs, and usage into sync. But tech won't cure all ills. Company leaders must forge a clear buying strategy that balances centralized control, and the vendor bargaining leverage that comes with it, against the need for departments to get exactly the right software for the job when they need it. Doing so requires IT, purchasing, and business unit leaders to work together. Finally, there's shadow IT. You must educate line-of-business leaders and IT administrators about the consequences of rogue purchasing, unauthorized installs, and changing usage patterns sparked by rising use of mobile devices.

Audits Strike Fear

Let's start with the understanding that software is incredibly valuable and that vendors spend lots of money to develop software functionality. They deserve every penny that's due to them under their stated licensing terms. OK, that doesn't lessen the frustration IT leaders feel when hit with a surprise million-dollar bill after an audit turns up software they didn't know they had installed. But a vendor audit gone sour provides the impetus to improve software license management.

The right to audit is spelled out in the fine print of software contracts, and research points to rising vendor audit activity. The audit compares the software that customers have installed with what they are licensed and entitled to use. If a vendor isn't satisfied with a company's response to an initial inquiry, it has the right to run scripts on that customer's network that will uncover where its software is installed and in use.

Audits rarely turn out in the customer's favor. The average audit true-up cost for companies with about $50 million in annual revenue is $263,000, according to the 2013-14 Key Trends in Software Pricing & Licensing Survey, the latest annual report published by software license optimization vendor Flexera with input from IDC. For companies with about $4 billion in revenue, the average audit true-up cost is $1.6 million.

Apparently, a better than one-in-three chance of an audit and the prospect of a six- to seven-figure fine isn't enough to motivate many companies to take control of license management.

"I've talked to some CIOs who say, 'I don't know what my risk is of being audited, and I don't know that if I'm audited I'll be out of compliance,'" says Amy Mizoras Konary, research VP, software licensing and provisioning, at IDC and a collaborator on Flexera's annual survey. "The attitude is 'I would rather take the risk of being audited than pay to fix a problem that we might not have.' But companies that take this approach are typically rewarded with audits." (See related story, "5 Signs You'll Face A Software Audit.")

Tools Of The Trade

IT's first line of insight (and audit defense) is usually IT asset management software. BMC, CA, Hewlett-Packard, IBM, Symantec, and other vendors provide general-purpose systems that correlate inventories of software and other IT assets to contracts, licenses, and equipment leases. This software is typically aimed at improving IT operations -- providing tools to detect failures across servers, storage, networking devices, software suites, and personal computers. At best, this software might discover and inventory what software is installed on which devices, but it doesn't analyze software usage and compare that with usage rights to give companies some idea if they're spending their money wisely.

In some cases, software vendors offer free tools geared toward deploying their products according to their licensing approaches. Microsoft, for instance, offers the Microsoft System Center Configuration Manager (SCCM), which provides remote desktop and server control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory. IBM often requires customers to use its License Metric Tool as a way to determine how many PVUs (processor value units, an IBM licensing metric) are in use.

The trouble with vendor tools is that they don't capture every metric and deployment variable needed to manage licensing, says IDC's Konary. What's more, these tools help you with software only from one vendor, whereas

Doug Henschen is Executive Editor of InformationWeek, where he covers the intersection of enterprise applications with information management, business intelligence, big data and analytics. He previously served as editor in chief of Intelligent Enterprise, editor in chief of ...

Thanks for your comments. I did mention that the audit-in-the-last-two-years figure is even higher, 40%, for companies with more than 500 employees. I've seen studies from Flexera and Express Metrix with even higher figures for larger companies, but we didn't break out a higher split in our study.

What a long-overdue topic for a second look at many organizations. It's refreshing to see an article so comprehensive on a topic that's so oft-overlooked, especially in a world of quick blogs, vague blurbs, and buzzword-laden tweets. Instead, these points are made here with plenty of numbers to back them up, insights from real people in the industry, and, most importantly, specific tips and best practices for how to do it better at your organization. You can't blame people for wanting to ignore licensing for as long as they can - it's complicated and, frankly, boring. This article makes a great case for not only why you should worry about it, but how to do so without losing sleep.

The numbers themselves do offer a bit of a mixed picture though, don't they? 1/3rd of organizations were audited in the last two years - and that doesn't say anything for the size or industry of those companies, or how those audits turned out. That still makes it sound like an okay bet to stick your head in the sand and pretend like you're not going to be audited. The cost savings and license management benefits are the real kickers to me. There are headaches other than just audits to worry about when it comes to licensing - and how great if you can get one service that takes care of all of them!

Remark: I guess it is not true to say "Christof Beaupoil, co-founder and president of IBM's Aspera Technologies"; Aspera is not linked to IBM at all. There are a couple of organizations named Aspera; the one involved in the SAM space does not belong to IBM.

Yes, the best defense is a good offense, especially for the mid-sized companies that don't have large IT staffs. I am surprised that 37% of companies surveyed have been audited in the last 24 months. The software vendors are investing heavily in auditing customers.

Great post. I can't stress enough the hidden benefits of finding spare software. Talk about getting kudos, when you can circulate an email that says "hey, we have 15 spare unused copies of Photoshop, anyone have a use for them?"

P.S. Microsoft's SCCM is not free as is implied. In fact the licensing for it is very complex with client and server licensing and has an entire PDF devoted to trying to figure out how much it will cost you.

Midsize and larger companies deal with hundreds of software titles, and between different locations and business units, there's no way you can keep track of it all with spreadsheets and paper files. License-management and software-license-optimization software can help, but you'll also need policies and procedures to ensure that you're licensing only the software that you need and that you're getting every discount you deserve.

I cannot agree more with the points raised in this post. As an IT manager, you cannot simply be reactive for software licensing to fulfil audit requirements. You need to take full responsibility for proper software licensing. It means getting on top of the issue and fully understanding/managing the proper licensing to fulfil your enterprise needs.
